CAS delegated login to another CAS instance

[Pablo Vidaurri]

I have CAS on my English website delegated to Azure EntraId. That is working fine.

I also have CAS on my Chinese site also delegating login to Azure EntraId. Also working fine.

But users complain why do they have to login twice, once for each domain. For Azure EntraId I pass in query param: prompt=login so that users for my service always have to login. Let's leave it like this.

I am thinking, have my EN site continue to delegate to Azure but now have my CN CAS instance delegate to EN CAS instance. This way if no session exist on EN CAS only then will it delegate to Azure. If EN CAS session exist, then just return back to CN CAS and create my session on that domain too.

I have this for my EN CAS delegation to be used for my CN site:

cas.authn.pac4j.cas[0].login-url=https://my.en-site.com/cas/login
cas.authn.pac4j.cas[0].protocol=CAS30
cas.authn.pac4j.cas[0].auto-redirect-type=NONE
cas.authn.pac4j.cas[0].callback-url-type=PATH_PARAMETER
cas.authn.pac4j.cas[0].client-name=DelegatedCasClient
cas.authn.pac4j.cas[0].display-name=DelegatedCasClient
cas.authn.pac4j.cas[0].principal-id-attribute=id
cas.authn.pac4j.cas[0].callback-url=https://my.cn-site.com/cas/login

And of course I have my azure oidc config, main piece:

cas.authn.pac4j.oidc[0].generic.callback-url= https://my.en-site.com/cas/login
cas.authn.pac4j.oidc[0].generic.client-name=EnAzureClient

CN service file has this block:

"delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", ["DelegatedCasClient":]],
      "permitUndefined": false,
      "exclusive": true

    } 

ENservice file has this block:

"delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders": ["java.util.ArrayList", ["EnAzureClient":]],
      "permitUndefined": false,
      "exclusive": true

    } 

This should conceptually work, correct? At the moment I am testing this on CAS v6.6.15.1 (I'm in the middle of a CAS 7.3 upgrade). But I am getting an error:  

[ERROR org.apereo.cas.web.flow.DefaultDelegatedClientAuthenticationWebflowManager](default task-4) Delegated client identifier cannot be located in the authentication request [https://my.en-site.com/cas/login?ticket=ST-1-XXXX&lang_cd=en&client_name=DelegatedCasClient 

Looking at the class, it looks like its just trying to fetch the ticket from the registry.

Is there a better way to do this?

-psv

[Ray Bon]

Pablo,

Could you have one cas and use localization https://apereo.github.io/cas/7.3.x/ux/User-Interface-Customization-Localization.html ?

There might be something on https://fawnoos.com/blog/ 

Ray

---

From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Pablo Vidaurri <psvid...@gmail.com>
Sent: February 18, 2026 12:09
To: CAS Community <cas-...@apereo.org>
Subject: [cas-user] CAS delegated login to another CAS instance

 

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2442ba2a-cf2f-4cfb-bc62-21f3dde48034n%40apereo.org.

[Pablo Vidaurri]

This is not an localization issue, I know I probably made it confusing mentioning EN and CN domains.

Just assume I have two cas instances deployed on 2 domains on two different servers, one only having the delegated cas config.  I have tested this and I can get it to work. CAS server 2 delegates to CAS server 1 and if no session on CAS server 1 then delegate to EntraId. Then finally session is created on CAS server 1 and then redirects to CAS server 2 which then also creates the session.

Now to add a bit of complexity: these two domains resolve to different IPs but route to the same physical  server ... So I really have 2 domain running off the same CAS instance. mysite1.com/cas/login and mysite2/cas/login hit the same cas instance using the same cas config. As you can image cookies and tickets are tied to the respective host. Now when the first domain delegates the 2nd domain, the cas client name ( cas.authn.pac4j.cas[0].client-name=DelegatedCasClient) is sent along. But when the primary CAS server delegates to EntraId and returns with JWT, the CAS server complains of ticket not found because it picks up the cas-client which does not belong to it, instead it belongs to the secondary CAS server.

Maybe there is no way around this but to either have two seperate instances running with different configs or customizing a class to ignore the cas-client on the primary cas instance.

-psv